github.com/fisco-bcos/crypto@v0.0.0-20200202032121-bd8ab0b5d4f1/tls/key_schedule.go (about)

     1  // Copyright 2018 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"github.com/FISCO-BCOS/crypto/elliptic"
     9  	"crypto/hmac"
    10  	"crypto/subtle"
    11  	"errors"
    12  	"golang.org/x/crypto/cryptobyte"
    13  	"golang.org/x/crypto/curve25519"
    14  	"golang.org/x/crypto/hkdf"
    15  	"hash"
    16  	"io"
    17  	"math/big"
    18  )
    19  
    20  // This file contains the functions necessary to compute the TLS 1.3 key
    21  // schedule. See RFC 8446, Section 7.
    22  
    23  const (
    24  	resumptionBinderLabel         = "res binder"
    25  	clientHandshakeTrafficLabel   = "c hs traffic"
    26  	serverHandshakeTrafficLabel   = "s hs traffic"
    27  	clientApplicationTrafficLabel = "c ap traffic"
    28  	serverApplicationTrafficLabel = "s ap traffic"
    29  	exporterLabel                 = "exp master"
    30  	resumptionLabel               = "res master"
    31  	trafficUpdateLabel            = "traffic upd"
    32  )
    33  
    34  // expandLabel implements HKDF-Expand-Label from RFC 8446, Section 7.1.
    35  func (c *cipherSuiteTLS13) expandLabel(secret []byte, label string, context []byte, length int) []byte {
    36  	var hkdfLabel cryptobyte.Builder
    37  	hkdfLabel.AddUint16(uint16(length))
    38  	hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
    39  		b.AddBytes([]byte("tls13 "))
    40  		b.AddBytes([]byte(label))
    41  	})
    42  	hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
    43  		b.AddBytes(context)
    44  	})
    45  	out := make([]byte, length)
    46  	n, err := hkdf.Expand(c.hash.New, secret, hkdfLabel.BytesOrPanic()).Read(out)
    47  	if err != nil || n != length {
    48  		panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
    49  	}
    50  	return out
    51  }
    52  
    53  // deriveSecret implements Derive-Secret from RFC 8446, Section 7.1.
    54  func (c *cipherSuiteTLS13) deriveSecret(secret []byte, label string, transcript hash.Hash) []byte {
    55  	if transcript == nil {
    56  		transcript = c.hash.New()
    57  	}
    58  	return c.expandLabel(secret, label, transcript.Sum(nil), c.hash.Size())
    59  }
    60  
    61  // extract implements HKDF-Extract with the cipher suite hash.
    62  func (c *cipherSuiteTLS13) extract(newSecret, currentSecret []byte) []byte {
    63  	if newSecret == nil {
    64  		newSecret = make([]byte, c.hash.Size())
    65  	}
    66  	return hkdf.Extract(c.hash.New, newSecret, currentSecret)
    67  }
    68  
    69  // nextTrafficSecret generates the next traffic secret, given the current one,
    70  // according to RFC 8446, Section 7.2.
    71  func (c *cipherSuiteTLS13) nextTrafficSecret(trafficSecret []byte) []byte {
    72  	return c.expandLabel(trafficSecret, trafficUpdateLabel, nil, c.hash.Size())
    73  }
    74  
    75  // trafficKey generates traffic keys according to RFC 8446, Section 7.3.
    76  func (c *cipherSuiteTLS13) trafficKey(trafficSecret []byte) (key, iv []byte) {
    77  	key = c.expandLabel(trafficSecret, "key", nil, c.keyLen)
    78  	iv = c.expandLabel(trafficSecret, "iv", nil, aeadNonceLength)
    79  	return
    80  }
    81  
    82  // finishedHash generates the Finished verify_data or PskBinderEntry according
    83  // to RFC 8446, Section 4.4.4. See sections 4.4 and 4.2.11.2 for the baseKey
    84  // selection.
    85  func (c *cipherSuiteTLS13) finishedHash(baseKey []byte, transcript hash.Hash) []byte {
    86  	finishedKey := c.expandLabel(baseKey, "finished", nil, c.hash.Size())
    87  	verifyData := hmac.New(c.hash.New, finishedKey)
    88  	verifyData.Write(transcript.Sum(nil))
    89  	return verifyData.Sum(nil)
    90  }
    91  
    92  // exportKeyingMaterial implements RFC5705 exporters for TLS 1.3 according to
    93  // RFC 8446, Section 7.5.
    94  func (c *cipherSuiteTLS13) exportKeyingMaterial(masterSecret []byte, transcript hash.Hash) func(string, []byte, int) ([]byte, error) {
    95  	expMasterSecret := c.deriveSecret(masterSecret, exporterLabel, transcript)
    96  	return func(label string, context []byte, length int) ([]byte, error) {
    97  		secret := c.deriveSecret(expMasterSecret, label, nil)
    98  		h := c.hash.New()
    99  		h.Write(context)
   100  		return c.expandLabel(secret, "exporter", h.Sum(nil), length), nil
   101  	}
   102  }
   103  
   104  // ecdheParameters implements Diffie-Hellman with either NIST curves or X25519,
   105  // according to RFC 8446, Section 4.2.8.2.
   106  type ecdheParameters interface {
   107  	CurveID() CurveID
   108  	PublicKey() []byte
   109  	SharedKey(peerPublicKey []byte) []byte
   110  }
   111  
   112  func generateECDHEParameters(rand io.Reader, curveID CurveID) (ecdheParameters, error) {
   113  	if curveID == X25519 {
   114  		p := &x25519Parameters{}
   115  		if _, err := io.ReadFull(rand, p.privateKey[:]); err != nil {
   116  			return nil, err
   117  		}
   118  		curve25519.ScalarBaseMult(&p.publicKey, &p.privateKey)
   119  		return p, nil
   120  	}
   121  
   122  	curve, ok := curveForCurveID(curveID)
   123  	if !ok {
   124  		return nil, errors.New("tls: internal error: unsupported curve")
   125  	}
   126  
   127  	p := &nistParameters{curveID: curveID}
   128  	var err error
   129  	p.privateKey, p.x, p.y, err = elliptic.GenerateKey(curve, rand)
   130  	if err != nil {
   131  		return nil, err
   132  	}
   133  	return p, nil
   134  }
   135  
   136  func curveForCurveID(id CurveID) (elliptic.Curve, bool) {
   137  	switch id {
   138  	case CurveP256:
   139  		return elliptic.P256(), true
   140  	case CurveP384:
   141  		return elliptic.P384(), true
   142  	case CurveP521:
   143  		return elliptic.P521(), true
   144  	case CurveSecp256k1:
   145  		return elliptic.Secp256k1(), true
   146  	case CurveSm2p256v1:
   147  		return elliptic.Sm2p256v1(), true
   148  	default:
   149  		return nil, false
   150  	}
   151  }
   152  
   153  type nistParameters struct {
   154  	privateKey []byte
   155  	x, y       *big.Int // public key
   156  	curveID    CurveID
   157  }
   158  
   159  func (p *nistParameters) CurveID() CurveID {
   160  	return p.curveID
   161  }
   162  
   163  func (p *nistParameters) PublicKey() []byte {
   164  	curve, _ := curveForCurveID(p.curveID)
   165  	return elliptic.Marshal(curve, p.x, p.y)
   166  }
   167  
   168  func (p *nistParameters) SharedKey(peerPublicKey []byte) []byte {
   169  	curve, _ := curveForCurveID(p.curveID)
   170  	// Unmarshal also checks whether the given point is on the curve.
   171  	x, y := elliptic.Unmarshal(curve, peerPublicKey)
   172  	if x == nil {
   173  		return nil
   174  	}
   175  
   176  	xShared, _ := curve.ScalarMult(x, y, p.privateKey)
   177  	sharedKey := make([]byte, (curve.Params().BitSize+7)>>3)
   178  	xBytes := xShared.Bytes()
   179  	copy(sharedKey[len(sharedKey)-len(xBytes):], xBytes)
   180  
   181  	return sharedKey
   182  }
   183  
   184  type x25519Parameters struct {
   185  	privateKey [32]byte
   186  	publicKey  [32]byte
   187  }
   188  
   189  func (p *x25519Parameters) CurveID() CurveID {
   190  	return X25519
   191  }
   192  
   193  func (p *x25519Parameters) PublicKey() []byte {
   194  	return p.publicKey[:]
   195  }
   196  
   197  func (p *x25519Parameters) SharedKey(peerPublicKey []byte) []byte {
   198  	if len(peerPublicKey) != 32 {
   199  		return nil
   200  	}
   201  
   202  	var theirPublicKey, sharedKey [32]byte
   203  	copy(theirPublicKey[:], peerPublicKey)
   204  	curve25519.ScalarMult(&sharedKey, &p.privateKey, &theirPublicKey)
   205  
   206  	// Check for low-order inputs. See RFC 8422, Section 5.11.
   207  	var allZeroes [32]byte
   208  	if subtle.ConstantTimeCompare(allZeroes[:], sharedKey[:]) == 1 {
   209  		return nil
   210  	}
   211  
   212  	return sharedKey[:]
   213  }